Four years to fix security vulnerabilities in NX-OS code is way too long. It's amazing that customers accept that Cisco will take years to patch bugs in the latest and most actively developed version of its data centre switch software AFTER public disclosure. Reporting was done via internal channels by a trusted third party, and I can't see any excuses for such a poor security response.
The exploits, which I formally reported to Cisco, were never made public, until over four years later.
It's clear that Cisco doesn't care about the security of its products: there are regular vulnerabilities across all of its products, followed by a very slow reaction and slow patching.
Summary of Cisco NX-OS security vulnerabilities I uncovered – Maximum Entropy : http://www.feeny.org/summary-cisco-nx-os-security-vulnerabilities-uncovered/
This is on the reporter of the problems. It's standard to put a clock on a vulnerability, then disclose publicly when the clock expires. If you don't, there is no reason they need to fix it, and there's possibly even pressure from governments to not fix it.
If there was an NDA in place then that’s a problem, but it isn’t as if there aren’t a ton of security researchers out there that could be tipped off anonymously.
He worked for a vendor partner. That kind of useful honesty doesn’t get rewarded in the culture of Cisco or EMC. He would risk his job and any accrued benefits.